Topic: Is this a bug, or something my brain doesn't get? (Read 2697 times)
m0ng0d (Global Moderator, Comodo's Hero, Posts: 811)
I used to be indecisive, but now I'm not so sure.
« on: November 12, 2006, 10:22:48 PM »

I wanted to attach the popup, but I miskeyed grabbing it, so the log entry will have to do; please check the screenshot below.

In my screenshot, I have MailWasher (3rd party e-mail spam helper) attempting to go out to my ISP to inspect my e-mail.  The highlighted record corresponding to the details section is that attempt, and the log entry below it in the list is the call to the NS to get the IP for my ISP's pop3 server.

Some helpful background.... MailWasher.exe loads with Windows on startup (into the systray), and as such, seems to have been assigned the parent of explorer.exe. I have App rules in place to allow MailWasher to access the web.

So my PC is all freshly booted... I load up Firefox off my QuickBar... and it gets associated to explorer.exe as its parent as well.  I do my browsing & decide to check my e-mails with Mailwasher.  And no sooner do I press its button to check my e-mails... the suspicious behavior popups start rolling in.

And in this lies my confusion...
  • How can "Child B" of "Parent A" be considered a threat to "Child A" of "Parent A" when the 2 of them never interact?
  • Is it that CPF assumes a parent can have only one child?
  • If I trust the Detail message and block the action, why is it MailWasher that gets blocked? ... I thought it was firefox that was "misbehaving" (according to the details)
  • Does the Detail message even belong to the activity at hand?

Is there a bug here?  Or am I just not understanding something?  Which of the 6 things monitored under Application Behavior Analysis does CPF think is going on here?

I'd get similar "collisions" in many applications with services.exe as the parent of svchost.exe (if I remember correctly).

Are there some configuration steps I can take to eliminate these kinds of "collisions", while still maintaining my security?
« Last Edit: November 12, 2006, 10:54:11 PM by m0ng0d »

OS: Win7 Ultimate x64
Comodo: CIS 3.14, Backup 2.0, CSC 2.0
Other Security: Mailwasher Pro 6.1 LFE
Wish: x64 iVault for FireFox
panic (Global Moderator, Comodo's Hero, Posts: 8105)
substance constant, depth variable
« Reply #1 on: November 12, 2006, 10:47:47 PM »

Quote from: m0ng0d
  • How can "Child B" of "Parent A" be considered a threat to "Child A" of "Parent A" when the 2 of them never interact?
  • Is it that CPF assumes a parent can have only one child?
  • If I trust the Detail message and block the action, why is it MailWasher that gets blocked? ... I thought it was firefox that was "misbehaving" (according to the details)
  • Does the Detail message even belong to the activity at hand?


Hey Dan,
1) While A and B don't interact, for this association to be made, there must be a common factor - I smell OLE cooking.
2) CPF correctly acknowledges multiple children for a single parent.
3) MailWasher gets blocked because it is the subject of the rule/condition violation. The details are reporting how the nominated app was being affected. If a wheel falls off the car, the effect is "car don't go" - cause is lack of round bit. CPF, in the case of OLE alerts, looks like it highlights "effect" and details "cause". Sort of vice versa thinking, but I can see their logic (providing I've interpreted it correctly)
4) Only through the common element - OLE.

Dan, I think you're at the point where you will have to compromise between security and productivity. Glad it's you and not me. LOL

Hope this helps,
Ewen :-)

P.S. If I've got any of this wrong, or if someone else can explain it better, please jump in. I'm married - I'm used to corrections. LOL

As your mums would say, "If you can't play nice with all the other kiddies, go home".
All users are asked to please read and abide by the  Comodo Forum Policy.
If you don't like it, don't use the forum.
m0ng0d (Global Moderator, Comodo's Hero, Posts: 811)
I used to be indecisive, but now I'm not so sure.
« Reply #2 on: November 12, 2006, 11:07:10 PM »

Ah... when reading the Application Behavior Analysis list... my brain stopped at "Monitor COM attempts" when it should have read Monitor COM / OLE Automation attempts... at least that clears the "what setting" question...

According to the "Comodo_Firewall_2.3_vs_The_Leaktests.pdf", OLE Automation is defined as...
Quote
Windows operating system also provides inter process communication mechanism through COM interfaces. By using a COM interface hosted by a server application, a Trojan can hijack the application to connect to the Internet.

Which was the server application in this experience?  The shared parent explorer.exe?
And how was Mailwasher's desire/action to check my e-mail a result of inter process communication from Firefox?  I thought I pressed the button.
panic (Global Moderator, Comodo's Hero, Posts: 8105)
substance constant, depth variable
« Reply #3 on: November 12, 2006, 11:18:59 PM »

Quote from: m0ng0d
Ah... when reading the Application Behavior Analysis list... my brain stopped at "Monitor COM attempts" when it should have read Monitor COM / OLE Automation attempts... at least that clears the "what setting" question...

Which was the server application in this experience?  The shared parent explorer.exe?
And how was Mailwasher's desire/action to check my e-mail a result of inter process communication from Firefox?  I thought I pressed the button.

Hey Dan,

Please bear in mind that I'm no OLE guru, I only delve into that stuff when I have to - similar to entering a teenager's bedroom - only done under duress, in dire circumstances and usually with a sense of dread! And a gasmask! LOL

My guess is that the server app would be explorer.exe - the windows shell. Objects initialized from the Quick Launch are actually init'd by explorer, as are autostarted apps from startup. There's one link between the two apps before we even get to OLE.

I don't know enough to go any further without researching. Did you want me to have a dig around and see what I can come up with?

Cheers,
Ewen :-)

m0ng0d (Global Moderator, Comodo's Hero, Posts: 811)
I used to be indecisive, but now I'm not so sure.
« Reply #4 on: November 12, 2006, 11:22:28 PM »

No, this wasn't homework for you, Ewen.

I have no problem waiting for an official response.  I know they are busy developing, but I might get lucky!!

Like you said...
Quote from: panic
Dan, I think you're at the point where you will have to compromise between security and productivity. Glad it's you and not me. LOL

... it's just been one of those little things gnawing at me that I finally just had to write the question for.
« Last Edit: November 12, 2006, 11:24:12 PM by m0ng0d »

m0ng0d (Global Moderator, Comodo's Hero, Posts: 811)
I used to be indecisive, but now I'm not so sure.
« Reply #5 on: November 12, 2006, 11:38:04 PM »

Ah, it seems I am regurgitating what others have already asked... like comicfan2000

And upon further reading...
Quote from: comicfan2000
Well, the case is closed.  I was told CPF doesn't have the capability to decide what's bad or not even if I am choosing to allow or not so it blocks the whole connection. So for most of us with this issue, it's reboot time or allow OLE.   I for one hope for this to be fixed some time as I am testing a lot of software and I simply can't be rebooting every time. Hope for a fix...

Paul

So I guess I'll wait for the "It's fixed" or "It's been enhanced" postings.

Like mentioned by other users... I have gotten pretty good at eyeballing the popup, unchecking the "remember" box, and selecting Allow/Deny on the fly...  I just don't think I should have to.
« Last Edit: November 12, 2006, 11:44:28 PM by m0ng0d »

panic (Global Moderator, Comodo's Hero, Posts: 8105)
substance constant, depth variable
« Reply #6 on: November 12, 2006, 11:47:08 PM »

Quote from: m0ng0d
Ah, it seems I am regurgitating what others have already asked... like comicfan2000

And upon further reading...
So I guess I'll wait for the "It's fixed" or "It's been enhanced" postings.

Like mentioned by other users... I have gotten pretty good at eyeballing the popup, unchecking the "remember" box, and selecting Allow/Deny on the fly...  I just don't think I should have to.

No worries Dan. I'm like you, I leave OLE warnings turned on and just eyeball them. If they look odd, I deny, if they look good, I allow (even if it's for an app that I recently closed - I think CPF is not keeping up with OLE connection close calls as quickly as it should).

cheers,
Ewen :-)

comicfan2000 (Guest)
« Reply #7 on: November 13, 2006, 12:42:25 AM »

Howdy m0ng0d,

I copied my answer to you in my topic and will paste it here, two topics may be better than one.


<< Yes, I just wish I had an answer for everyone if this was going to be fixed or not. I haven't heard any definite on it or even a fraction of an answer to be honest.  I know for a fact that other firewalls, when a USER denies the OLE, you can still connect to the internet after. This is the one and only irritation I have with CPF. I do feel it's a security risk EG... If I am in the middle of something, I simply allow the darn thing so I don't have to reboot. Another EG...I don't like to allow WMP, I was doing some other online stuff, it pops up, if I wouldn't have allowed it, I would have lost my ebay page etc...I wasn't too happy having to leave it slide. It will stop your connection dead even if on a web page. The minute you go to move on or refresh you get >Cannot find server. I am patiently waiting for an answer and irritably tolerating this right now but honestly if it doesn't get fixed, with all the software testing, graphics stuff, online stuff I do, I simply couldn't keep doing this with CPF and would have to find another.

 Paul >>


 Paul


AT EWEN: You hit the teenager's room right on. I have my closet filled with spare gas masks and rubber suits just in case. For the boys' bathroom, I call in specialists!
« Last Edit: November 13, 2006, 12:44:02 AM by comicfan2000 »